Re: [Declude.Virus] Banned extension tripped by Microsoft Outlook, Build 10.0.3416

2004-03-18 Thread Darin Cox
Interesting...so it's Outlook's fault, eh? Understand about text files...they would be next to impossible to determine what the content really was without greatly increasing processing time and a lot of effort. However, I still think it is very valuable to add detection of the obvious types like

RE: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread Charles Frolick
IIRC, Scott had said before that 1.78 was set to become a new release before all of these viruses, so I would think that anything not related to these new virus features is very stable (I haven't seen any discussions about other problems). In other words, it should be good to go, but it is your ca

Re: [Declude.Virus] Banned extension tripped by Microsoft Outlook, Build 10.0.3416

2004-03-18 Thread R. Scott Perry
We do already have some support for that in Declude Virus Pro. But, the problem is that it often isn't possible to tell what the file type is without the extension. In this case, it would be very difficult to distinguish a .js file from a .txt file, for example. There is another problem, too

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread R. Scott Perry
We have been running the latest interims for a couple of weeks (since the EZIP stuff came out). We are seeing the following error in the virus logs: 03/18/2004 07:25:33 Qa32252df006a099c Could not find parse string Infection: in report.txt 03/18/2004 07:25:33 Qa32252df006a099c Error 8 in virus sc

Re: [Declude.Virus] SKIPIFFORGING ?

2004-03-18 Thread R. Scott Perry
Does the SKIPIFFORGING include the Vulnerabilities? Yes, it does. I was just looking into why I was not receiving Vulnerability notifications and it appears the SKIPIFFORGING is stopping these from being sent. As an administrator, I would like to receive those in case it might be a legit messag

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Darin Cox
Scott, What are your thoughts on the /AI and /PACKED switches? Any particular reason to use or not use them? Darin. - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 10:57 AM Subject: Re: [Declude.Virus] Log error wi

[Declude.Virus] SKIPIFFORGING ?

2004-03-18 Thread Grant Griffith - Declude Virus
Hello, Does the SKIPIFFORGING include the Vulnerabilities? I was just looking into why I was not receiving Vulnerability notifications and it appears the SKIPIFFORGING is stopping these from being sent. As an administrator, I would like to receive those in case it might be a legit message. Is t

[Declude.Virus] Virus Naming -- Running Out of Letters

2004-03-18 Thread Jeff Pereira
Seeing as how we are now at Bagle.T, it seems pretty likely that Bagle.Z is just around the corner. What comes after Bagle.Z ??? If the above offended anyone, I am sorry. I'm just trying to find some humor in what has made most of our lives pretty difficult for the last couple of weeks.

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Grant Griffith
Scott, We are seeing something similar since upgrading to interim release 178i27. Logs: 03/18/2004 11:19:34 Qcc0742d003962ecf Could not find report file D:\IMAIL\spool\Dcc0742d003962ecf.vir\report.txt. 03/18/2004 11:19:34 Qcc0742d003962ecf Scanned: Banned file extension. [MIME: 2 22185] 03/18/20

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Don Brown
You might want to use the 32b version of the scanner, as well. # F-PROT - 1st scanner SCANFILE1 C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt VIRUSCODE1 3 VIRUSCODE1 6 REPORT1 Infection: Thursday, March 18, 2004, 9:57:41

Re: [Declude.Virus] Banned extension tripped by Microsoft Outlook, Build 10.0.3416

2004-03-18 Thread Matt
Turns out it was, and this also makes sense. Outlook only munged the name and not the file. Here's the base64 code for the spacer image along with the link and JavaScript is used to generate arguments appended to the link: - Actual Attachment (GIF) - Content-Type: application/octet-st

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Bill Landry
- Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 8:08 AM Subject: Re: [Declude.Virus] Log error with latest interim release > Scott, > > What are your thoughts on the /AI and /PACKED switches? Any particular > reason to us

Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread Serge
We have this in vulnerability notifications: SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability Will this work ? - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 2:17 PM Subject: RE: [Declude.Virus] Virus wars heat up: Bagle.Q

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread R. Scott Perry
03/18/2004 11:20:01 Qcc24005d0536a2e6 Error 128 in virus scanner 1. 03/18/2004 11:21:09 Qcc661aa8032aa581 Error 128 in virus scanner 1. F-Prot doesn't define an exit code of 128 -- I would recommend reinstalling F-Prot and/or moving to the latest version of F-Prot.

Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread R. Scott Perry
We have this in vulnerability notifications: SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability Will this work ? Yes, that will work. Those E-mails will only get sent out if a vulnerability is detected. -Scott --- Declude JunkMail: The advanced anti-spa

Re: [SpamIndex=10]Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread Serge
I mean will these notifications still get sent for these new beasts - Original Message - From: "Serge" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 5:00 PM Subject: [SpamIndex=10]Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by

Re: [SpamIndex=10]Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread R. Scott Perry
I mean will these notifications still get sent for these new beasts Since these new viruses will be detected and handled the same way as vulnerabilities, the "SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability" line will work fine (handling these the same way as any other vulnerability).

Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread Matt
I've only seen two of these so far, and according to McAfee, over 90% of the hosts have been shut down: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101108 -- Update March 18th 2004 06:45 PST -- The majority of the 590 IP addresses seen have been closed down. At the time

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Nick
Scott, I too am recording an error: "Could not find parse string Infection: in report.txt" Circumstances are occurring only with fprot, and only on banned extensions or on [banned] encrypted zips. I only looked at today's logs so I really do not know if it started with the latest interim release

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread R. Scott Perry
I too am recording an error: "Could not find parse string Infection: in report.txt" That is normal, if the virus scanner does not detect a virus (but instead reports a vulnerability). -Scott --- Declude JunkMail: The advanced anti-spam solution

RE: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Grant Griffith - Declude Virus
I just upgraded to version 3 and am still seeing this. I will contact F-Prot to see if they can give me some insight on this. Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 -Original Message- From: [EMAIL PROTECTE

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Nick
> >"Could not find parse string Infection: in report.txt" > > That is normal, if the virus scanner does not detect a virus (but instead > reports a vulnerability). Gotcha. So it's just that different virus scanners classify threats differently? [The other scanners are flagging these as viruses.] Is ther

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread R. Scott Perry
Gotcha. So it's just that different virus scanners classify threats differently? [The other scanners are flagging these as viruses.] If F-Prot returns an exit code other than 6, it did not detect a virus. Is there a way to display different strings from reportt.txt? No.

Re: [SpamIndex=10]Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread R. Scott Perry
what is the vulnerability type these new virus/vuln will show in the virusname variable? "OBJECT CODE Vulnerability" -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable vir

Re: [SpamIndex=10]Re: [Declude.Virus] Virus wars heat up: Bagle.Q can't be detected as a virus by mailserver virus scanners

2004-03-18 Thread Serge
what is the vulnerability type these new virus/vuln will show in the virusname variable? - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 5:19 PM Subject: Re: [SpamIndex=10]Re: [Declude.Virus] Virus wars heat up: Bagle

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Darin Cox
Hi Bill, Yeah, I had seen your configs...just wanted to get Scott's feedback on the -AI and -PACKED switches. Darin. - Original Message - From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 12:00 PM Subject: Re: [Declude.Virus] Log error with

RE: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Grant Griffith - Declude Virus
Meant version E. Sorry, been a long day. Sincerely, Grant Griffith, Vice President EI8HT LEGS Web Management Co., Inc. http://www.getafreewebsite.com 877-483-3393 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Grant Griffith - Declude Virus Sent: Thursday,

Re: [Declude.Virus] Banned extension tripped by Microsoft Outlook, Build 10.0.3416

2004-03-18 Thread Darin Cox
Right, so if we detected actual file type (GIF instead of .js=NO), we would know that it was a .gif and therefore not a threat...so it wouldn't get banned. Darin. - Original Message - From: "Matt" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 11:50 AM Subjec

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Bill Landry
My understanding is that Scott does not think they are necessary, and that may be true. However, F-Prot must have had some reason for adding those switches (especially the PACKED switch), so I use them - just to be safe... Bill - Original Message - From: "Darin Cox" <[EMAIL PROTECTED]> T

RE: [Declude.Virus] Virus Naming -- Running Out of Letters

2004-03-18 Thread Todd Holt
After Bagle.Z, I usually have a cup of coffee. Why do you ask? :-) Todd Holt Xidix Technologies, Inc Las Vegas, NV USA 702.319.4349 www.xidix.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Pereira Sent: Thursday, March 18,

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread R. Scott Perry
Scott, your thoughts? From what I have seen, AV heuristics just don't do a good enough job to be useful. Specifically, they seem to catch legitimate E-mails regularly (typically .doc/.xls files). However, depending on your needs, it may be worthwhile to use the heuristics, if the occasional

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Darin Cox
Scott, your thoughts? Darin. - Original Message - From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 12:58 PM Subject: Re: [Declude.Virus] Log error with latest interim release My understanding is that Scott does not think they are necessar

Re: [Declude.Virus] Log error with latest interim release

2004-03-18 Thread Darin Cox
Thanks for the input, Scott. Darin. - Original Message - From: "R. Scott Perry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 1:12 PM Subject: Re: [Declude.Virus] Log error with latest interim release >Scott, your thoughts? From what I have seen, AV he

[Declude.Virus] Imail Queue Manager/SMTP at 100% after declude & f-prot updates

2004-03-18 Thread GlobalWeb.net Webmaster
Anyone else having problems with CPU at 100% after updating to Declude 1.78i27 and the f-prot 3.14e? I have reverted back to previous versions of both products and still no let up on CPU; spool directory just keeps climbing... Sincerely, Randy Armbrecht Global Web SolutionsR, Inc. 804-346-5300

Re: [Declude.Virus] Imail Queue Manager/SMTP at 100% after declude & f-prot updates

2004-03-18 Thread R. Scott Perry
Anyone else having problems with CPU at 100% after updating to Declude 1.78i27 and the f-prot 3.14e? I have reverted back to previous versions of both products and still no let up on CPU; spool directory just keeps climbing... If you go to the Task Manager, click on the Processes tab, and click th

[Declude.Virus] F-Prot 3.14 d&e Rel. Notes

2004-03-18 Thread Adrian Titei
I thought that these notes for the last 2 releases of F-Prot would be interesting. Here you go, fresh from F-Prot tech Support: Cheers, Adrian --- snip --- MAJOR ENHANCEMENTS -- Version 3.14d changes some defaults The default of the /ARCHIVE switch is now to scan only "on

Re: [Declude.Virus] F-Prot 3.14 d&e Rel. Notes

2004-03-18 Thread IMail Admin
So what is the best command line to use with 3.14e? Ben BC Web - Original Message - From: "Adrian Titei" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 18, 2004 2:03 PM Subject: [Declude.Virus] F-Prot 3.14 d&e Rel. Notes > I thought that these notes for the last 2 rel

Re: [Declude.Virus] F-Prot 3.14 d&e Rel. Notes

2004-03-18 Thread Matt
Good info...but not quite enough. So if you put F-Prot into /SERVER mode, what exactly will it report on, and what code will it report (6 or 8)? And something else; did they reverse some words here? "Those heuristics will for example complain about encrypted executable files within archive

RE: [Declude.Virus] Imail Queue Manager/SMTP at 100% after declude & f-prot updates

2004-03-18 Thread GlobalWeb.net Webmaster
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, March 18, 2004 4:53 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.Virus] Imail Queue Manager/SMTP at 100% after declude & f-prot updates >Anyone else having problems with C

[Declude.Virus] More details on Virus.cfg and F-prot 3.14E

2004-03-18 Thread Douglas Cohn
I have been following the recent threads but I have not seen a definitive answer. Most likely because it is still so new (F-prot 3.14E). Some help would be greatly appreciated. What about the /SERVER setting? Any advantage to using it. I am also a bit confused about the Viruscode settings. I